 
  

 






<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> 
<html>

<!-- Mirrored from www.javapractices.com/topic/TopicAction.do;jsessionid=4FCCB481C702D708A7360133D128E359?Id=222 by HTTrack Website Copier/3.x [XR&CO'2010], Sun, 12 Jun 2011 17:27:06 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8"><!-- /Added by HTTrack -->
<head>
 <title>
  Java Practices -> Use extensions for fine-grained security
 </title>
 <link rel="stylesheet" type="text/css" href="../stylesheet8.css" media="all">
 
 <link rel="shortcut icon" href='../images/favicon.ico' type="image/vnd.microsoft.icon">
 <meta name="description" content="Concise presentations of java programming practices, tasks, and conventions, amply illustrated with syntax highlighted code examples.">
 
 <meta name='keywords' content='java,java programming,java practices,java idiom,java style,java design patterns,java coding conventions,'>
 
 
</head>
 
<body>




<div class="main-layout">
 
   

 




<div class='page-title'>Use extensions for fine-grained security</div>

<div class='main-body'>
 <br>
The <tt>&lt;security-constraint&gt;</tt> item in <tt>web.xml</tt> implements <i>role-based</i> security restrictions for your web application.
Its <tt>&lt;http-method&gt;</tt> element lets you specify <tt>POST</tt>, <tt>GET</tt> and so on, to restrict what kind of action is taken.

<P>However, there's a big problem with this technique: <span class='highlight'>browsers typically implement <em>only</em> 
<tt>POST</tt> and <tt>GET</tt>; they typically don't implement <tt>PUT</tt> and <tt>DELETE</tt>.</span>
This means that <tt>&lt;http-method&gt;</tt> is not very useful, in practice, for 
implementing <em>fine-grained</em> security constraints.

<P>(It's important to note that the role-based security restrictions defined by the servlet specification do nothing for restrictions based on <i>ownership</i> of data, such as seen in many public web sites.
Such restrictions prevent one user from editing items created by some other user, for example.)

<P>There is an alternative to using <tt>&lt;http-method&gt;</tt>: use the extension appearing in the URL.
In this case, URLs take the form:
<ul>
<li><tt>.../Account.list</tt>
<li><tt>.../Account.add</tt>
<li><tt>.../Account.delete</tt>
<li><tt>.../Account.fetch?Id=45</tt>
</ul>

<P>When thinking of security, it's natural to think in terms of <em>nouns</em> and <em>verbs</em>:
<ul>
<li>what is being operated on - the noun
<li>what exactly is being done to it - the verb
</ul>

<P>In the above example, <tt>Account</tt> is the noun, while the extension (<tt>.list</tt>, <tt>.add</tt>, and so on) is the verb.
With this style, any degree of granularity for security constraints can be implemented.
One can mix and match the nouns and the verbs independently of each other, in a natural way.


<P><b>Example 1</b> 
<BR>Only a <tt>manager</tt> can perform this specific delete operation:
<PRE>
&lt;security-constraint&gt;
 &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;Deleting Members&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;/main/member/MemberAction.delete&lt;/url-pattern&gt;
 &lt;/web-resource-collection&gt;
 &lt;auth-constraint&gt;
  &lt;role-name&gt;manager&lt;/role-name&gt;
 &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
</PRE>



<P><b>Example 2</b> 
<BR>
<BR>A <tt>reader</tt> can read from, but not write to, the database:
<PRE>
&lt;security-constraint&gt;
 &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;View Operations&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;*.list&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.fetch&lt;/url-pattern&gt;
 &lt;/web-resource-collection&gt;
 &lt;auth-constraint&gt;
  &lt;role-name&gt;reader&lt;/role-name&gt;
 &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
</PRE>


<P><b>Example 3</b> 
<BR>
<BR>An <tt>editor</tt> can both read from and write to a database:
<PRE>
&lt;security-constraint&gt;
 &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;Edit Operations&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;*.list&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.fetch&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.add&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.change&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.delete&lt;/url-pattern&gt;
  &lt;url-pattern&gt;*.fetchForChange&lt;/url-pattern&gt;
 &lt;/web-resource-collection&gt;
 &lt;auth-constraint&gt;
  &lt;role-name&gt;editor&lt;/role-name&gt;
 &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
</PRE>


<P><b>Example 4</b> 
<BR>
<BR>Only a <tt>webmaster</tt> can access URLs starting with <tt>/webmaster/*</tt>:
<PRE>
&lt;security-constraint&gt;
 &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;Webmaster&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;/webmaster/*&lt;/url-pattern&gt;
 &lt;/web-resource-collection&gt;
 &lt;auth-constraint&gt;
  &lt;role-name&gt;webmaster&lt;/role-name&gt;
 &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
</PRE>

<P><b>Example 5</b> 
<BR>
<BR>Only a <tt>megawebmaster</tt> can access <tt>/webmaster/Logs.delete</tt>:
<PRE>
&lt;security-constraint&gt;
 &lt;web-resource-collection&gt;
  &lt;web-resource-name&gt;Log Deletion&lt;/web-resource-name&gt;
  &lt;url-pattern&gt;/webmaster/Logs.delete&lt;/url-pattern&gt;
 &lt;/web-resource-collection&gt;
 &lt;auth-constraint&gt;
  &lt;role-name&gt;megawebmaster&lt;/role-name&gt;
 &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
</PRE>

<P>Here's a table showing whether access is granted in various cases, given the above constraints:

<table width="80%" align="CENTER" border=1 CELLSPACING="0" CELLPADDING="3">
<tr>
 <th>For User With Role(s)</th>
 <th>Accessing URL</th>
 <th>Allow Access?</th>
</tr>
<tr>
 <td>editor</td>
 <td>../Account.list</td>
 <td align='center'>Y</td>
</tr>
<tr>
 <td>editor</td>
 <td>../Account.delete</td>
 <td align='center'>Y</td>
</tr>
<tr>
 <td>reader</td>
 <td>../Account.list</td>
 <td align='center'>Y</td>
</tr>
<tr>
 <td>reader</td>
 <td>../Account.delete</td>
 <td align='center'>N</td>
</tr>
<tr>
 <td>editor</td>
 <td>/main/member/MemberAction.delete</td>
 <td align='center'>N</td>
</tr>
<tr>
 <td>reader, manager</td>
 <td>/main/member/MemberAction.delete</td>
 <td align='center'>Y</td>
</tr>
<tr>
 <td>reader</td>
 <td>/webmaster/Logs.list</td>
 <td align='center'>N</td>
</tr>
<tr>
 <td>webmaster</td>
 <td>/webmaster/Logs.list</td>
 <td align='center'>Y</td>
</tr>
<tr>
 <td>webmaster</td>
 <td>/webmaster/Logs.delete</td>
 <td align='center'>N</td>
</tr>
</table>
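
<P>The rows above follow from the container applying only the best-matching <tt>url-pattern</tt> (exact path, then longest path prefix, then extension) and combining the roles when a pattern is repeated across constraints. The Python model below is an added illustration, not code from this site or from a servlet container; it ignores <tt>&lt;http-method&gt;</tt> and the default mapping, and its function names and the <tt>.export</tt> URL are constructed for the example.

```python
# Added illustration: roles and url-patterns copied from Examples 1-5 on this page.
CONSTRAINTS = [
    ("manager", ["/main/member/MemberAction.delete"]),
    ("reader", ["*.list", "*.fetch"]),
    ("editor", ["*.list", "*.fetch", "*.add", "*.change", "*.delete", "*.fetchForChange"]),
    ("webmaster", ["/webmaster/*"]),
    ("megawebmaster", ["/webmaster/Logs.delete"]),
]
ROLES = {}  # url-pattern -> roles; a pattern repeated across constraints gets the union
for role, patterns in CONSTRAINTS:
    for pattern in patterns:
        ROLES.setdefault(pattern, set()).add(role)
# Rows of the page's table (roles, URL, expected answer), plus one constructed URL
# whose extension (.export, hypothetical) appears in no constraint.
CASES = [
    (["editor"], "../Account.list", "Y"), (["editor"], "../Account.delete", "Y"),
    (["reader"], "../Account.list", "Y"), (["reader"], "../Account.delete", "N"),
    (["editor"], "/main/member/MemberAction.delete", "N"),
    (["reader", "manager"], "/main/member/MemberAction.delete", "Y"),
    (["reader"], "/webmaster/Logs.list", "N"),
    (["webmaster"], "/webmaster/Logs.list", "Y"),
    (["webmaster"], "/webmaster/Logs.delete", "N"),
    (["reader"], "../Account.export", "UNCOVERED"),
]

def best_pattern(path):
    """Exact match, then longest path prefix, then extension; None if uncovered."""
    if path in ROLES:
        return path
    prefixes = [p for p in ROLES if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    name = path.rsplit("/", 1)[-1]
    ext = "*." + name.rsplit(".", 1)[1] if "." in name else None
    return ext if ext in ROLES else None

def decide(user_roles, path):
    """'Y' or 'N' from the best-matching pattern; 'UNCOVERED' if none applies."""
    pattern = best_pattern(path)
    if pattern is None:
        return "UNCOVERED"  # no constraint matches: the container does no role check
    return "N" if ROLES[pattern].isdisjoint(user_roles) else "Y"

def mismatches():
    return [case for case in CASES if decide(case[0], case[1]) != case[2]]

if __name__ == "__main__":
    for roles, path, expected in CASES:
        print(roles, path, decide(roles, path), "(expected " + expected + ")")
```

<P>A URL whose extension is listed in no constraint comes back as <tt>UNCOVERED</tt>: the container performs no role check on it, so every verb the application supports needs its own <tt>url-pattern</tt> entry.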

<br>
<br>

</div>






 
 
</div>

  

 





<div align='center' class='legalese'>  
&copy; 2011 Hirondelle Systems |
<a href='../source/SourceAction-2.html'><b>Source Code</b></a><IMG class='no-margin' SRC="../images/goldstar.gif" ALT=""> |
<a href="mailto:webmaster@javapractices.com">Contact</a> |
<a href="http://creativecommons.org/licenses/by-nc-sa/1.0/">License</a> |
<a href='../apps/cjp.rss'>RSS</a>
<!-- ukey="2AC36CD2" -->
<!-- ckey="16DF3D87" -->
<br>

 Individual code snippets can be used under this <a href='../LICENSE.txt'>BSD license</a> - Last updated on June 6, 2010.<br>
 Over 150,000 unique IPs last month - <span title='Java Practices 2.6.5, Mon May 16 00:00:00 EDT 2011'>Built with</span> <a href='http://www.web4j.com/'>WEB4J</a>.<br>
 - In Memoriam : Bill Dirani -
</div>




</body>

</html>
